From 2ffcab212c7ff4bd1ed6f44ce11522a76dd93d04 Mon Sep 17 00:00:00 2001 From: natto1784 Date: Mon, 7 Jun 2021 10:23:28 +0530 Subject: [PATCH] Remilia: add SNM and vault-agent --- flake.nix | 4 ++- hosts/servers/remilia.nix | 1 + hosts/servers/remilia/mailserver.nix | 16 +++++++++ hosts/servers/remilia/networking.nix | 9 +++-- hosts/servers/remilia/services.nix | 52 ++++++++++++++++++++++------ 5 files changed, 69 insertions(+), 13 deletions(-) create mode 100644 hosts/servers/remilia/mailserver.nix diff --git a/flake.nix b/flake.nix index c6a41c6..a741f14 100644 --- a/flake.nix +++ b/flake.nix @@ -73,7 +73,7 @@ modules = [ ./modules/vault-agent.nix ./hosts/servers/marisa.nix - inputs.mailserver.nixosModules.mailserver + #inputs.mailserver.nixosModules.mailserver { nixpkgs.pkgs = self.packages.aarch64-linux; } @@ -93,7 +93,9 @@ Remilia = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; modules = [ + ./modules/vault-agent.nix ./hosts/servers/remilia.nix + inputs.mailserver.nixosModules.mailserver { nixpkgs.pkgs = self.packages.x86_64-linux; } diff --git a/hosts/servers/remilia.nix b/hosts/servers/remilia.nix index 17c203d..9f94606 100755 --- a/hosts/servers/remilia.nix +++ b/hosts/servers/remilia.nix @@ -9,6 +9,7 @@ ./remilia/boot.nix ./remilia/services.nix ./remilia/builder.nix + ./remilia/mailserver.nix ../../configs/nvim.nix ]; # programs.gnupg.agent.enable = lib.mkForce false; diff --git a/hosts/servers/remilia/mailserver.nix b/hosts/servers/remilia/mailserver.nix new file mode 100644 index 0000000..4f42f87 --- /dev/null +++ b/hosts/servers/remilia/mailserver.nix @@ -0,0 +1,16 @@ +{ config, pkgs, ... }: +{ + mailserver = { + enable = true; + fqdn = "mail.weirdnatto.in"; + domains = [ "weirdnatto.in" ]; + loginAccounts = { + "natto@weirdnatto.in" = { + hashedPasswordFile = "/var/secrets/natto@weirdnatto.in.key"; + aliases = ["@weirdnatto.in"]; + }; + }; + enablePop3 = false; + enablePop3Ssl = false; + }; +} 
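Review bot: The new `mailserver` block in `hosts/servers/remilia/mailserver.nix` sets no `certificateScheme`, while the same commit removes the manual `mail.weirdnatto.in` ACME certificate and nginx vhost, so unless the module's default has changed since this was written the IMAPS/SMTPS listeners on 993/465 will present a self-signed certificate and every mail client gets trained to click through a TLS warning. If the intent is to let simple-nixos-mailserver obtain its own Let's Encrypt certificate, add `certificateScheme = 3;` next to `fqdn`, which is what makes dropping the manual vhost safe. Separately, `hashedPasswordFile` points at a file that is only produced by the vault-agent template in `services.nix`; nothing here orders the mail units after that render, so the first boot after a redeploy may start dovecot/postfix before the file exists, and at minimum a comment such as `# rendered by vault-agent from kv/systems/Remilia` should record where the file comes from.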
diff --git a/hosts/servers/remilia/networking.nix b/hosts/servers/remilia/networking.nix index 28af060..66ae7b3 100755 --- a/hosts/servers/remilia/networking.nix +++ b/hosts/servers/remilia/networking.nix @@ -6,7 +6,12 @@ firewall = { interfaces = { ens3 = { - allowedTCPPorts = [ 22 80 443 ]; + allowedTCPPorts = [ + 22 + 80 81 + 443 444 + 993 465 143 25 + ]; allowedUDPPorts = [ 17840 ]; }; }; @@ -33,7 +38,7 @@ ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.55.0.0/24 -o ${config.networking.nat.externalInterface} -j MASQUERADE ''; - privateKeyFile = "/var/secrets/wg"; + privateKeyFile = "/var/secrets/wg.key"; peers = [ { publicKey = "m9SSpkj+r2QY4YEUMEoTkbOI/L7C39Kh6m45QZ5mkw4="; diff --git a/hosts/servers/remilia/services.nix b/hosts/servers/remilia/services.nix index 422e9a1..a0e813b 100755 --- a/hosts/servers/remilia/services.nix +++ b/hosts/servers/remilia/services.nix @@ -1,18 +1,20 @@ {config, pkgs, ...}: { services = { - openssh = { - enable = true; + openssh = { enable = true; permitRootLogin = "yes"; }; nginx = { enable = true; - package = pkgs.nginx; + package = (pkgs.nginx.overrideAttrs(oa: { + configureFlags = oa.configureFlags ++ [ "--with-mail" "--with-mail_ssl_module" ]; + })); virtualHosts = { "weirdnatto.in" = { addSSL = true; enableACME = true; locations."/".proxyPass = "http://10.55.0.2:80"; + serverAliases = [ "www.weirdnatto.in" ]; }; "git.weirdnatto.in" = { addSSL = true; 
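Review bot: Ports 81 and 444 are opened on the public interface in the new `allowedTCPPorts` list, but nothing visible in this commit listens on them (the nginx vhosts only use 80/443 and the mail module does not use them), and 143 exposes plaintext IMAP next to 993 with no sign here that STARTTLS is required. Each port that stays should say what it is for, e.g. `993 465 25 # imaps, smtps, smtp (SNM)`, and 81/444 should be dropped unless a listener is configured elsewhere. Note also that simple-nixos-mailserver may open its own ports in the global firewall list, in which case this per-interface list partly duplicates it; worth checking so the two do not drift apart.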
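Review bot: The rewritten `openssh` line keeps `permitRootLogin = "yes"` on a host whose firewall exposes port 22 to the internet, and password authentication is not disabled anywhere in this diff, so root is reachable by password guessing; whether that was already in effect before this commit cannot be told from the hunk. Since root is provisioned with `authorizedKeys` further down the same file, `permitRootLogin = "prohibit-password"; passwordAuthentication = false;` (or the equivalent `settings.*` options on newer NixOS) gives the same access without the exposure. The `--with-mail`/`--with-mail_ssl_module` nginx rebuild is not used by any `mail` block in this diff; a short comment saying what it is for, or dropping it until it is needed, would help the next reader.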
@@ -21,27 +23,57 @@ proxyPass = "http://10.55.0.2:5001"; extraConfig = '' proxy_set_header Host $host; - ''; + ''; }; }; - "mail.weirdnatto.in" = { - addSSL = true; - enableACME = true; - locations."/" = {}; - }; }; }; + vault-agent = { + enable = true; + settings = { + vault = { + address = "https://10.55.0.2:8800"; + client_cert = "/var/vault/cert.pem"; + client_key = "/var/vault/key.pem"; + }; + auto_auth = { + method = [ + { + "cert" = { + name = "Remilia"; + }; + } + ]; + }; + template = [ + { + source = pkgs.writeText "wg.tpl" '' + {{ with secret "kv/systems/Remilia/wg" }}{{ .Data.data.private }}{{ end }} + ''; + destination = "/var/secrets/wg.key"; + } + { + source = pkgs.writeText "natto@weirdnatto.in.tpl" '' + {{ with secret "kv/systems/Remilia" }}{{ .Data.data.nattomail }}{{ end }} + ''; + destination = "/var/secrets/natto@weirdnatto.in.key"; + } + ]; + }; + }; + }; users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJHingN2Aho+KGgEvBMjtoez+W1svl9uVoa4vG0d646j" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILCH975XCps+VCzo8Fpp5BkbtiFmj9y3//FBVYlQ7/yo" ]; security.acme = { acceptTerms = true; certs = { "weirdnatto.in".email = "natto+acme@weirdnatto.in"; "git.weirdnatto.in".email = "git+acme@weirdnatto.in"; - "mail.weirdnatto.in".email = "mail+acme@weirdnatto.in"; }; }; + security.pki.certificateFiles = [ ../../../cert.pem ]; }
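Review bot: The two `template` entries render `/var/secrets/wg.key` (a WireGuard private key) and the mail password hash without a `perms` setting, and Vault Agent's template stanza falls back to 0644 when the destination file does not already exist, so any local account or compromised service on the host can read the tunnel key; add `perms = "0600";` to each template, and since the consumers are not restarted on re-render, a `command` such as `systemctl restart wireguard-wg0` on the first one (the unit name assumes the interface is `wg0`, as the iptables rules suggest). `security.pki.certificateFiles` adds the Vault CA to the system-wide trust store, which makes every TLS client on the machine trust anything that CA signs; the narrower option is a `ca_cert` entry in the `vault` stanza pointing at the same `cert.pem`. Please also note in a comment which operator or host the second root `authorizedKeys` entry belongs to, so its provenance is recorded next to the key.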